Certificates are Everywhere

Google Cloud Platform
Microsoft Azure
Services in Public Clouds
Public-Facing Services
API endpoints
Machine-to-machine communication
Internal Services

Evolving security indicators

“Users should expect that the web is safe by default, and they’ll be warned when there’s an issue.”
Security Team
Google

https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html

Timeline of Chrome’s Evolution

Treatment of HTTPS pages:
Current (Chrome 67): Secure | example.com
Sep. 2018 (Chrome 69): example.com
Eventually: example.com

Timeline of Chrome’s Evolution

Eventual treatment of all HTTP pages in Chrome:
Not secure | example.com

Schedule to disable TLS 1.0/1.1

• Chrome: Jan 2020
• Firefox/Safari: March 2020
• Edge: First half of 2020

TLS 1.3 is faster and removes support for insecure features and ciphers

SSL Pulse

The Good
• No SHA1 or 1024 bit keys

The Bad (~35% inadequate)
• Expired certificates: ~5,200
• Expiring in the next 2 weeks: ~4,500
• Weak/Insecure cipher suites: ~4,200
• SSLv2/SS[illegible]: ~15,000
• RC4 enabled: ~22,000 (16%)

[Screenshot: Qualys SSL Labs SSL Pulse page, Monthly Scan: November 02, 2018, with panels "SSL Security Summary" and "SSL Labs Grade Distribution"]
SSL Pulse is a continuous and global dashboard for monitoring the quality of SSL / TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexa's list of the most popular sites in the world.

Certificates renewal

Expired SSL Certificate knocks offline web services and websites

FreeWiFi: August 2017
LinkedIn: December 2017
Pokemon GO: January 2018

[Screenshot: certificate details for free.fr]
Délivré par: RapidSSL SHA256 CA - G3
Expiré le lundi 7 août 2017 à 16:29:34 heure d'été d'Europe centrale
Ce certificat a expiré

[Screenshot: Firefox "Your connection is not secure" warning page]

Current State of Most Organizations

Limited Visibility
• 95% of organizations don’t know where certs are in their networks
• Limited ownership information
• The unknown is difficult to manage

Expirations Missed
• Unplanned outages
• Many more “near misses”

Compliance
• Certificates from unapproved CAs
• Responding to audits is a manually intensive exercise

Reliance on Manual Processes
• Spreadsheets are error prone and out-of-date
• Expensive, not scalable as certificates increase
• Troubleshooting issues is challenging

Ponemon

The average Global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage.

http://www.csoonline.com/article/2987186/browser-security/expired-certificates-cost-businesses-15-million-per-outage.html

Challenges of Existing Solutions

Visibility
• Point tools, increasing effort and ownership costs

Scalability
• Operational silos
• Work in on-premises or cloud-only mode
• Require multiple or complex deployments to cover large environments

Maturity
• Most solutions are off-the-shelf vulnerability-only or certificate-only “tools”

Single Pane of Glass

“What’s DevOps doing, I just found 5,000 self-signed certificates!”
“We have no visibility into certificates outside the firewall”
“We can’t inspect encrypted traffic”
“Network is down. Certificate expired again!”

Introducing Qualys CertView

• Discover, inventory, monitor certificates
• Discover, inventory, monitor host configurations & vulnerabilities
• Coverage across both on-premises and cloud environments
• Renew certificates from the same platform


[Screenshot: Certificate View default dashboard, with panels: Total Certificates, Certificates by Issuing Authorities, Certificates by Expiration, Top 5 Certificates by Common Name, Certificates by Hashing Algorithm, Certificates by Key Length]

Use Cases

Outage Remediation: Stop expired certificates from interrupting business
Certificate Grades: Find out if your TLS configurations are following best practices
Baseline Normal Usage/Full Visibility: Establish a baseline to be able to detect anomalies
Audits and Compliance: Achieve audit success and fast remediation
Certificate Renewal: Renew expiring certificates

Key Advantages of Qualys CertView

• Uses the same Qualys scanners already deployed for Vulnerability Management or Policy Compliance
• Qualys CertView meets many of the common use cases in the current version
• Certificate Enrollment/Renewal available this month
• Simplified delivery through Qualys Cloud Platform - easy for existing VM/PC customers to trial and deploy
• Attractive Pricing

CertView Releases and Roadmap

Q4 2018*
CA Imports
Enroll/Renew (DigiCert)

Approval workflow
Scan Consolidation

Q2 2019*
Enroll/Renew (Microsoft CA/GoDaddy)
ServiceNow CMDB integration

Q1 2019*
APIs
Alerts
Assign ownership
Enroll/Renew (Comodo/Let’s Encrypt)
Certificate Validation

Deploy on Apache

Q3 2019*
Cloud Agent support
Enroll/Renew (Entrust/EJBCA)
Deploy on IIS

DEMO

Certificate View

QUALYS SECURITY CONFERENCE 2018

Thank You

Imane Rouijel
adonneger@qualys.com


